CVE-2026-22733
Received Received - Intake
Authentication Bypass in Spring Boot Actuator Affects Spring Security

Publication date: 2026-03-20

Last updated on: 2026-04-23

Assigner: VMware

Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.Β This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22733
EUVD
EUVD-2026-13349
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_boot to 2.7.32 (exc)
vmware spring_boot From 3.3.0 (inc) to 3.3.18 (exc)
vmware spring_boot From 3.4.0 (inc) to 3.4.15 (exc)
vmware spring_boot From 3.5.0 (inc) to 3.5.12 (exc)
vmware spring_boot From 4.0.0 (inc) to 4.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Impact Analysis

This vulnerability can allow attackers to bypass authentication controls on affected Spring Boot applications. As a result, unauthorized users may gain access to sensitive application endpoints that are supposed to be protected, potentially leading to exposure of sensitive data or unauthorized actions within the application.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22733 is a high-severity authentication bypass vulnerability that affects Spring Boot applications using Actuator and Spring Security. It occurs when an application endpoint that requires authentication is declared under a subpath of the CloudFoundry Actuator endpoints, such as "/cloudfoundryapplication/admin". This misconfiguration can cause authentication controls to be bypassed, allowing unauthorized access.'}, {'type': 'paragraph', 'content': 'The vulnerability requires all of the following conditions: the application is a web application, the Actuator dependency is present, the Spring Security dependency is present, and the application contributes an authenticated endpoint under a CloudFoundry Actuator subpath.'}, {'type': 'paragraph', 'content': 'Affected Spring Boot versions include 4.0.0 to 4.0.3, 3.5.0 to 3.5.11, 3.4.0 to 3.4.14, 3.3.0 to 3.3.17, and 2.7.0 to 2.7.31.'}] [1]

Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade the affected Spring Boot and Spring Security versions to the fixed releases.

  • Upgrade Spring Boot 4.0.x to 4.0.4 (Open Source)
  • Upgrade Spring Boot 3.5.x to 3.5.12 (Open Source)
  • Upgrade Spring Boot 3.4.x to 3.4.15 (Commercial)
  • Upgrade Spring Boot 3.3.x to 3.3.18 (Commercial)
  • Upgrade Spring Boot 2.7.x to 2.7.32 (Commercial)

No additional mitigation steps are necessary beyond upgrading. It is also advised to avoid mapping application endpoints under infrastructure endpoints like Actuators to prevent configuration conflicts.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart